DoS attacks on ModSecurity: Exploiting critical bug in popular WAF

A critical vulnerability resulting in a denial-of-service error has been recently discovered in ModSecurity, a popular web application firewall (WAF) for Apache, IIS, and Nginx. The bug is truly severe: not only does the library stop working, but applications using it as well. Let’s see what was the mistake of the ModSecurity developers and how we, ethical hackers, can exploit this vulnerability in our penetration tests.

Read full article →


The deplorable four. Testing free antiviruses: Huorong, Preventon, Zoner, and FS Protection

Today, I am going to battle-test four antivirus programs: a British one, a Chinese one (featuring an original engine), a Finnish one, and an exciting Czech project at the beta-version stage. All of them are free and offer extra protection features aside from the basic system scan. Let’s pit the new antiviruses against hordes of trojans and worms I prepared for them!

Read full article →


Diabolically reddish pentest. Building tunneling chains through docker containers on a Hack the Box virtual machine

How to seize control over a host located in a different subnetwork? The right answer is: build numerous intricate tunnels. This article addresses tunneling techniques and their application in pentesting using as an example Reddish, a hardcore virtual machine (insane difficulty level: 8 out of 10) available on Hack The Box training grounds.

Read full article →